Skip to main content
Research:
Research
15 Sep 2022

Conduct

Financial Services Internal Audit Planning Priorities 2023

Below we highlight new areas relevant to Internal Audit but also those areas we believe will have greater focus in 2023. We hope this informs your 2023 planning and assurance approach.

4.1. Consumer Duty

Why is it important?

In July 2022, the Financial Conduct Authority (FCA) published its final rules on the Consumer Duty which will be effective from 31 July 2023. The impact of Consumer Duty on Financial Services (FS) firms are unprecedented and they represent a ‘paradigm shift’ across organisations which will require significant strategic and operational change across all areas of a firm. The Duty will also require an annual board attestation with an annual opinion on the adherence to the rules of the Duty. Given the breadth and depth of the activity to implement Consumer Duty requirements, relevant firms are taking action now. Internal Audit should consider whether a standalone review of Consumer Duty in close proximity to the implementation date will be sufficient. It is likely the Audit Committee would expect Internal Audit to have a comprehensive assurance roadmap to provide assurance across the programme, at every step of its journey, from inception to the operational effectiveness of new business as usual (BAU) controls.

 

What’s new?

The Consumer Duty introduces a new principle “A firm must act to deliver good outcomes for retail customers”. This is underpinned by new overarching cross-cutting rules; act in good faith towards retail customers; avoid foreseeable harm to retail customers; and enable and support retail customers to pursue their financial objectives. To achieve this, the FCA have highlighted four outcomes for the key elements of the firm-consumer relationship:

  • Outcome 1: Products and Services. Though covering much of the same ground as the existing FCA guidance on the Responsibilities of Product Providers and Distributers (RPPD), the requirements of this outcome are more prescriptive and will require firms to revisit, and potentially strengthen, aspects of their product governance arrangements. Though firms currently identify target markets, in our experience, these assessments are often high-level and, for some products, may be insufficiently granular to meet the requirements of this outcome, particularly for products considered to be “mass retail”.
  • Outcome 2: Price and Value. The Duty requires manufacturers to ensure that their products or services provide fair value to retail customers, taking into consideration the nature of the product or service (including the benefits that will be provided), any limitations on the product or service, the total price customers are expected to pay and any characteristics of vulnerability in the target market.
  • Outcome 3: Consumer Understanding. The requirements under this outcome build on, and go further than, Principle 7 by requiring firms to focus much more on consumer understanding throughout the customer journey. Firms need to review their approach to communicating overall, ensuring they are equipping consumers to make effective, timely and properly informed decisions and are not communicating in a way which exploits consumers’ information asymmetries and behavioural biases.
  • Outcome 4: Consumer Support. The consumer support outcome aims to set an appropriate standard of support that all firms must provide, so that consumers can use products and services as anticipated and do not face unreasonable barriers. Firms are already expected to ensure that customers do not face unreasonable post-sale barriers under the FCA’s existing Consumer Outcomes, but the Duty spells out what this means in more detail.

 

What should Internal Audit be doing?

Area of Focus

Programme Set-Up 		Description

  • Internal Audit Driver: Has a Consumer Duty Programme been set up appropriately?
  • Considerations: Does the programme have an Executive sponsor, and are appropriate governance arrangements in place to provide oversight, with activities prioritised appropriately? Does the Board have sufficient awareness and input into the Programme? Are they aware of their responsibility for annual attestations? Is the resourcing plan sufficient to deliver the programme, with competing priorities and business availability well understood?
Discovery and Planning ​
  • Internal Audit Driver: Does the business have adequate knowledge, capability and capacity to appropriately interpret and assess requirements, and form an appropriate gap analysis? Are action plans in place to address the gaps sufficient?
  • Considerations: Are actions appropriate? Do teams have the appropriate capacity and capability to undertake such large-scale change? Is the Second Line appropriately segregated from the First Line to provide an independent view? Has external SME support been utilised? Do Internal Audit already have a view on control environment based on previous audits?
Design and Build ​
  • Internal Audit Driver: Is the design of newly created or enhanced controls appropriate to meet the requirements of the Consumer Duty?
  • Considerations: Can the business clearly evidence the changes made to policies, processes, and systems? How have expectations of Board regarding the annual assessment requirements been factored into process design and build? How will issues be escalated to give the Board oversight of activity they are responsible for?
Embedding and Assurance ​
  • Internal Audit Driver: Following the design assessment of controls, are the controls operating effectively?
  • Considerations: Does your planned testing programme contain adequate coverage of all changes made as a result of the programme? Is the information included for the purposes of annual Board assessment reliable, and has it been validated? Is First and Second Line assurance providing the appropriate level of coverage? Does it demonstrate that customer outcomes are appropriate?

 

Key contacts: Michael Scott and Lyndsey Fallon

4.2. Improving the Appointed Representatives Regime

Why is it important?

The Financial Conduct Authority (FCA) continues to put strong focus on ensuring products and services are delivering fair outcomes for consumers. More recently, the FCA’s Business Plan for 2022/23 noted the role of Appointed Representatives (ARs) would also be an area of focus, recognising a range of harm across all sectors where firms have ARs, often due to limited due diligence before appointing an AR and have a lack of robust ongoing oversight. The FCA launched consultation paper CP21/34: Improving the Appointed Representatives regime, in December 2021 to propose changes to the AR regime. His Majesty’s Treasury (HMT) also published a call for evidence on how market participants use the AR regime and how effectively the regime works in practice. Both consultations closed on 3 March 2022. Specifically, the FCA ‘s consultation paper proposes updating the AR regime to require Principals to provide additional and more timely information on their ARs and seeks to clarify and strengthen the responsibilities and expectations of Principals. Given the focus of the Regulator on ARs and the additional reporting requirements, it is important that Internal Audit teams consider focused assurance activity in this area, particularly in the robustness of a firm’s supervision and oversight framework, and readiness to obtain sufficient data and information required under the proposals.

 

What’s new?

  • The AR regime was originally established to allow regulated activities to be undertaken by firms and individuals without the need to be directly authorised with the FCA. The regime is based on a Principal firm (which is authorised with the FCA) taking responsibility for the conduct of the AR. The CP 21/34 proposals looked to strengthen Principals' oversight of ARs and improve the information provided to the FCA in order to reduce potential harm to consumers and ensure that good customer and market outcomes are achieved. The final rules were published during August 2022 via Policy Statement PS 22/11 with implementation due in December 2022.
  • The recent FCA Business Plan states the regulator will undertake more “assertive” supervision of high-risk Principals, whilst also continuing to work with HMT on possible legislative changes to the AR regime. The consultation paper builds on previous thematic reviews conducted by the FCA across the Insurance and investment sectors during 2018 and 2019. Significant shortcomings were identified in Principals’ understanding of their regulatory obligations in relation to their ARs, with controls related to regulatory activities of ARs for which a Principal has accepted responsibility being categorised as “inadequate”.
  • Furthermore, the FCA found that ARs account for significantly more issues compared to directly authorised firms, with “Principal firms using ARs generating 50 to 400 percent more complaints and supervisory cases”. The reduction and prevention of such harm will be a key focus of the Regulator in the coming months, and complaints data will be a key tool the FCA will use to measure the success of Principals’ monitoring, oversight and management of ARs.
  • Ultimately, the FCA want to ensure consumers are better informed through access to improved and quality information on principals and ARs to make good decisions when choosing products or services that best suit consumers needs.

 

What should Internal Audit be doing?

Area of Focus

Information Reporting Requirements for Principals Working with ARs

Description

Whilst the FCA already expects firms to have sufficient information and knowledge of the business interests and activities of their ARs, the updated proposals require Principals to provide additional details on their ARs. The additional data and reporting requirements may create complexities for a Principal’s current mechanism for capturing and reporting information on ARs as it is likely firms do not currently capture some of the updated information. One such example is the new requirement to report revenue data for regulated and non-regulated business activities for each individual AR. Internal Audit should review and assess the controls for capturing and reporting such AR information, identifying any gaps in management information, including the current timeliness of reporting of data versus the ability of a firm to report data in line with the updated proposals.

 
Oversight of ARs ​

One of the key drivers of harm identified by the FCA is a lack of appropriate oversight of ARs. The FCA have said that in order to better identify problematic ARs and ascertain potential weaknesses in supervision, firms need to review the robustness of their supervision and oversight. This provides assurance that systems are in place to anticipate oversight of ARs to a “comparable standard” of any individual directly employed by a firm and that controls effectively mitigate the risk of AR activities resulting in undue risk to consumers or to market integrity. Internal Audit should pay particular attention to the design and operational effectiveness of ongoing oversight arrangements, which should include but is not limited to, assessing the suitability of a firm’s target operating model to meet the requirement of a firm to have sufficient resources to operate adequate controls and oversight.

 
Complaints ​

Firms currently provide complaints data to the FCA in aggregation at a Principal-level. However, the new proposals will require firms to submit complaints data at individual AR level. Firm’s will need to review and assess their complaints handling process, procedures and current reporting arrangements to ensure identification of issues leading to potential or actual harm are addressed by a firm more quickly. Internal Audit should assess the proactivity of the Principal to prevent and mitigate potential harm caused by their ARs.

 
 
Key contacts: Michael Scott and Lyndsey Fallon
 

 

4.3. Consumer Affordability - Cost-of-Living Crisis Impact

Why is it important?

The Financial Conduct Authority (FCA) has acknowledged that creditworthiness and affordability assessments are not an exact science, and that a change in the customer’s circumstances or wider economic events can impact affordability. The wider economic impact following the Covid-19 pandemic brought additional scrutiny over the affordability controls that firms have in place to ensure that funds are being lent responsibly and whether this has resulted in fair outcomes for consumers. The UK is also experiencing the greatest rise in consumer prices in nearly 50 years with inflation anticipated to exceed 13 percent (as noted by the Bank of England and reported by BBC News on 22 August 2022) over the next 12 months and it is forecast that wage increases will not keep pace with rising prices over the coming months and years. This is already starting to contribute to a “cost-of-living" crisis in the UK which is likely to provide further disruption in the retail lending market when firms are assessing affordability and supporting customers in financial difficulty. The FCA has already outlined their concerns to the industry in recent speeches and ‘Dear CEO’ letters to lenders.

 

What’s new?

  • The FCA updated its Consumer Duty proposals in December 2021 (CP21/13: A new Consumer Duty), which was finalised in July 2022 with implementation set for July 2023 (also refer to section 4.1). These changes are seen as a ‘paradigm shift’ in the way firms are expected to treat retail customers across the financial services industry.
  • Whilst the full impact of Covid-19 to household income and affordability was masked in part by the impact of Government Support Schemes, the pandemic has challenged long-held assumptions around household expenditure. With some expenditure such as transport and leisure reducing overnight, and surges in other things such as energy costs due to time spent indoors, the ability to rely on the habits of the past to predict the spending of the future was immediately disrupted. Other events such as Brexit, rising energy and fuel costs, national insurance, and council tax increases has generated a toxic mix of economic challenges which has culminated in a cost-of-living crisis, placing additional pressures on individual consumer spending habits and affordability. The speed of change, and the range of factors mean that customers are facing financial pressure now, with more expected based on inflation and interest rate forecasts.
  • The FCA have issued a ‘Dear CEO’ letter on the 16th June 2022 to more than 3,500 lenders to remind them of the standards they should meet as consumers across the country are affected by the rising cost of living. With household bills expected to continue to rise into the autumn, it is important that firms act now to make sure borrowers struggling with payments and customers in vulnerable circumstances can access the help they need.

 

What should Internal Audit be doing?

Area of Focus

Assessing Affordability

Description

In light of the existing cost of living crisis, Internal Audit should consider if further scrutiny is required on controls used to assess income and expenditure which typically relies on historical information and may not reflect the recent impact of inflation. This may include the accuracy of ONS, open banking and behavioural data, to ensure that any potential price rises are accurate and representative of the cost of living within the UK for an average household based on their household composition and location. Internal Audit should also consider whether there are appropriate controls / governance in place to provide assurance regarding the approval/decline of cases with marginal affordability.

 
Pre-Emptive Action ​

Review and consider the processes and controls in place to identify consumers that are at risk of falling into financial difficulties and the contact strategies / forbearance options in place to support these consumers. This should consider whether models or analytics are used to identify at-risk customers and to drive proactive strategies to contact customers at higher risk of harm as a result of the cost of living crisis. Internal Audit should also ensure that firms do not have any policies, processes or systems that prevent customers accessing support or forbearance when they are in pre-arrears, such as waiting for the customer to miss a payment before they will discuss options.

 
Appropriate Forbearance ​

When dealing with customers in financial difficulties, firms are required to treat customers with due care and consideration, ensuring that appropriate forbearance is offered in line with regulatory requirements. Internal Audit should review the design adequacy, operational effectiveness and sustainability of forbearance options, as well as oversight activity, to ensure that firms are adequately supporting borrowers and providing tailored forbearance and debt help to those in financial difficulty.

 
Capacity Planning ​

We expect that there will be an increased demand from both collections in-flows but also customers wishing to engage at the pre-arrears stage who may require a more holistic conversation. Internal Audit should review the book under a stressed environment (factoring in predicted rise in inflation) to consider whether there are sufficient capacity planning procedures in place to ensure that firms have the resources available to support customers experiencing any payment difficulties.

 

Key contacts: Michael Scott and Lyndsey Fallon

Back to Financial Services Internal Audit: Planning Priorities 2023

Did you find this useful?

Yes
No

Thanks for your feedback

If you would like to help improve Deloitte.com further, please complete a 3-minute survey

Your feedback is important to us

To tell us what you think, please update your settings to accept analytics and performance cookies.

Need help updating cookies?

Recommendations

Financial Services Internal Audit | Regulatory | Deloitte UK

Research

Financial Services Internal Audit | Governance, Risk Management & Culture | Deloitte UK

Research

Financial Services Internal Audit | Internal Audit Strategies & COVID-19 Recovery | Deloitte UK

Research